Sysinternals Primer: Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk
Aaron Margosis, Principal Consultant, Microsoft Services, Public Sector
Session Objectives and Takeaways
Session Objectives: Focus on features of Sysinternals tools
Complementary to Mark Russinovich’s “Case of the Unexplained” talks
Key Takeaway: Use Sysinternals utilities more effectively
The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools
Covers every tool, every feature, with tips
Written by Mark Russinovich and Aaron Margosis
Available in June… (or so…)
Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
Other chapters by tool group: Security, process, AD, desktop, …
Updates since the last Sysinternals Primer…
What’s New
Process Explorer v14
CPU Cycle Accounting
Tree CPU Usage
System information changes
Network and disk throughput history minigraphs
Interrupt and DPC counts in System Information dialog
Network and disk I/O per-process columns
Support for more than 64 CPUs
Process Monitor
Quick filter context menus to zoom in on a particular time range in a trace
Ability to disable individual filter entries
API for developers interested in inserting debug output into the Process Monitor event stream
Disk2Vhd
Captures an image of a physical disk to the VHD format
GUI and Command Line
Uses Windows Volume Snapshot
Does not copy paging or hibernation files
Can capture a running system
Works on all supported Windows versions
Requires administrator privilege
Capture image to multiple places: UNC, Mapped Drive, USB
XP vs Win7
Windows XP, Windows Server 2003
Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2
Disk2Vhd demo
Autoruns
Replaces the System Configuration (msconfig) services and startup tabs
Uncovers software that Windows starts automatically through Auto-Start Extensibility Points (ASEPs): software applications, Internet Explorer add-ins, drivers, services
Command line version: AutorunsC
Analyze offline systems
Autoruns demo
ProcDump
User-mode memory dump utility
Easier to use than Adplus
Many configurable triggers: CPU or memory usage, GUI hang, first- or second-chance exceptions, termination, perf counter thresholds
Dump file types, including the new “Miniplus” dump
ProcDump command line syntax
procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }
Which process to monitor and target dump file: { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }
Dump criteria: [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold]
How to dump the process state: [-ma | -mp] [-r] [-o] [-64]
ProcDump demo
BgInfo
Displays computer configuration on desktop wallpaper
Flexible formatting options
24 default fields covering OS, hardware, network, logon and timestamp attributes
Custom fields from registry, env vars, WMI queries, …
Log results
BgInfo demo
AccessChk
Reports effective permissions on securable objects
Can perform recursive searches
Supports many object types
Shows summary; can show detailed permissions
Search for access rights for a user or group
Reports account rights
AccessChk demo
Getting Started
Sysinternals Website Features
http://www.Sysinternals.com redirects to http://technet.microsoft.com/Sysinternals
Sysinternals Suite contains all the tools in one zip file
Site blog announces all updates: http://blogs.technet.com/Sysinternals
Run directly from the web: Sysinternals Live
http://live.sysinternals.com/procmon.exe, or \\live.sysinternals.com\tools\procmon.exe
UNC syntax requires the WebClient service
Videos on troubleshooting with the tools
Additional Resources
Mark Russinovich’s blog: http://blogs.technet.com/MarkRussinovich
Blog posts and utilities by Aaron Margosis: http://blogs.msdn.com/aaron_margosis and http://blogs.technet.com/fdcc
The “Bonus Tracks” at the end of this deck
Bonus Tracks
Disk2Vhd command line syntax
disk2vhd [-h] drives vhdfile
-h When capturing Windows XP or Server 2003 system volumes, -h fixes up the HAL in the VHD to be compatible with Virtual PC.
drives is one or more drive letters with colons (e.g., c: d:) indicating which volumes to convert, or use “*” to indicate all volumes.
vhdfile is the full path to the VHD file to be created.
Example: disk2vhd c: e:\vhd\snapshot.vhd
Autoruns command line syntax
autoruns [-e] [[-v] -a file]
-e Run elevated (Vista and newer)
-a file Save results to file.arn and then exit
-v Verify signatures
AutorunsC command line syntax (descriptions of the options follow)
autorunsc [-x] [[-a] | [-b] [-c] [-d] [-e] [-g] [-h] [-i] [-k] [-l] [-m] [-n] [-o] [-p] [-r] [-s] [-t] [-v] [-w] [[-z systemroot userprofile] | [user]]
AutorunsC command line options
Option Description
-c Print output as CSV.
-x Print output as XML.
-v Verify digital signatures.
-m Hide Microsoft entries.
-z systemroot userprofile Specifies the offline system to scan.
user Specifies the name of the user account for which autostart entries will be shown.
Autostart types
-a Show all entries.
-b Show boot execute entries.
-d Show Appinit DLLs.
-e Show Explorer addons.
-g Show Sidebar gadgets (Vista and higher).
-h Show Image hijacks.
-i Show Internet Explorer addons.
-k Show Known DLLs.
-l Show Logon autostart entries (this is the default).
-n Show Winsock protocol and network providers.
-o Show Codecs.
-p Show Print monitor DLLs.
-r Show LSA security providers.
-s Show services and drivers.
-t Show Scheduled Tasks.
-w Show Winlogon entries.
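As an added example (not from the slides), the following PowerShell script uses the AutorunsC switches above to record a baseline of a machine's auto-start entries and report what has changed since; autorunsc.exe on PATH, the baseline path and the -accepteula switch are assumptions.

```powershell
# Added example (not from the slides): baseline a machine's auto-start entries with
# AutorunsC and report what changed since the baseline was taken. Assumes autorunsc.exe
# is on PATH and that $BaselinePath is a placeholder. -accepteula is a standard
# Sysinternals switch not shown on the slides; it suppresses the EULA dialog.
param(
    [string]$BaselinePath = 'C:\baseline\autoruns.csv'   # assumed location of the baseline
)

function Get-AutorunsEntries {
    # -a all autostart types, -v verify digital signatures, -m hide Microsoft entries
    # (keeps the baseline small), -c emit CSV so each entry is one machine-readable line.
    # The banner and CSV header come out identical on every run, so sorting the raw lines
    # is enough for a stable comparison; no column names need to be known.
    return @(& autorunsc.exe -accepteula -a -v -m -c | Sort-Object -Unique)
}

$current = Get-AutorunsEntries

if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline once the current entries have been reviewed by hand.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | Set-Content -Path $BaselinePath
    Write-Host "Baseline written with $($current.Count) lines to $BaselinePath"
    return
}

$baseline = @(Get-Content -Path $BaselinePath)
$changes  = @(Compare-Object -ReferenceObject $baseline -DifferenceObject $current)

foreach ($c in $changes) {
    # '=>' means the line exists now but not in the baseline; '<=' the reverse.
    $tag = if ($c.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Host "$tag $($c.InputObject)"
}

# Entries whose signature did not verify deserve a closer look. Assumption: with -v,
# AutorunsC writes "(Not verified)" into the Publisher column of such rows, so a
# substring match on the whole line is sufficient here.
$unverified = @($current | Where-Object { $_ -match '\(Not verified\)' })
Write-Host "$($changes.Count) change(s) since baseline; $($unverified.Count) entries with unverified signatures"
```

Run the script once after reviewing a clean machine to create the baseline, then on a schedule; every ADDED line is a new ASEP that something installed since.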
ProcDump command line syntax (descriptions of the options follow)
procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }
ProcDump command line options
Option Description
Target Process and Dump File
processname Name of the target process. Must be unique instance and already running.
PID Process ID of the target process.
dumpfile Name of dump file. Optional if process is already running; required if using -x.
-x Start the target process, using imagefile and command line arguments.
imagefile Name of executable file to launch.
arguments Optional command line arguments to pass to new process.
Dump Criteria
-c percent CPU usage above which to capture a dump.
-u Used with -c to scale threshold against number of CPUs present.
-s n Used with -c, sets duration of high CPU usage to trigger a dump. Used with -p, sets duration of a performance counter threshold exceeded to trigger a dump. Used with -n and no other dump criteria, dumps process every n seconds.
-n count Used with -c, -s or -p, specifies number of dumps to capture.
-m commit Specifies commit charge limit in MB at which to capture a dump.
-h Capture a dump when a hung window is detected.
-e Capture a dump when an unhandled exception occurs. If followed with 1, also captures a dump on a first-chance exception.
-b Used with -e, treats breakpoints as exceptions. Otherwise it ignores them.
-t Capture a dump when the process terminates.
-p counter threshold Captures a dump when the named performance counter exceeds the threshold.
Dump File Options
-ma Include all process memory in the dump.
-mp “Miniplus”: creates the equivalent of a full dump but with large allocations omitted.
-r Reflect (clone) the process for the dump to minimize the time the process is suspended. (Requires Windows 7 or Windows Server 2008 R2 or higher.)
-o Overwrite an existing dump file.
-64 Create a 64-bit dump of the target process. (x64 editions of Windows only.)
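As an added example (not from the slides), the PowerShell script below assembles three ProcDump command lines from the switches in the option table: a sustained-CPU trigger, a hung-window trigger, and an exception trigger for a process launched with -x. procdump.exe on PATH, the process names, the dump folder and the -accepteula switch are assumptions.

```powershell
# Added example (not from the slides): three ProcDump command lines assembled from the
# switches in the option table above. Assumes procdump.exe is on PATH; the process
# names and paths are placeholders. -accepteula is a standard Sysinternals switch not
# shown on the slides; it suppresses the EULA dialog so the script can run unattended.
param(
    [string]$DumpDir = 'C:\dumps'   # assumed folder for the dump files
)
New-Item -ItemType Directory -Force -Path $DumpDir | Out-Null

function Invoke-ProcDump {
    param([string[]]$Arguments)
    Write-Host "procdump $($Arguments -join ' ')"
    & procdump.exe -accepteula @Arguments     # @Arguments splats each element as its own argument
    return $LASTEXITCODE
}

# 1. Sustained high CPU: up to three Miniplus dumps of w3wp.exe once its CPU usage has
#    stayed above 80% for 5 seconds (-c 80 -s 5 -n 3 -mp). -u scales the threshold
#    against the number of CPUs present (see the option table), so one busy core on a
#    multi-core box can still reach it.
Invoke-ProcDump @('-c', '80', '-u', '-s', '5', '-n', '3', '-mp',
                  'w3wp.exe', (Join-Path $DumpDir 'w3wp_cpu.dmp'))

# 2. GUI hang: one full-memory dump (-ma) as soon as a window of the process stops
#    responding (-h); -o overwrites a dump file left by an earlier run.
Invoke-ProcDump @('-h', '-ma', '-o', 'myapp.exe', (Join-Path $DumpDir 'myapp_hang.dmp'))

# 3. Crash capture for a process that is not running yet: -x launches imagefile with the
#    given arguments; the dump file is required here and, per the syntax line, follows
#    imagefile. -e 1 dumps on first- and second-chance exceptions, and -b also treats
#    breakpoints as exceptions.
Invoke-ProcDump @('-e', '1', '-b', '-x', 'C:\tools\myapp.exe',
                  (Join-Path $DumpDir 'myapp_crash.dmp'), '/verbose')
```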
AccessChk command line options
accesschk [options] [user-or-group] objectname
Option Description
Object Type
-d Object name represents a container; report permissions on that object rather than on its contents
-k Object name represents a registry key
-c Object name represents a Windows service
-p Object name is the PID or (partial) name of a process
-f Used with -p, shows full process token information for specified process
-o Object name represents an object in the Windows object manager namespace
-t Used with -o, -t type specifies the object type. Used with -p, reports permissions for the process’ threads
-a Object name represents an account right
Searching for Access Rights
-s Recurse container hierarchy
-n Show only objects that grant no access (usually used with user-or-group)
-w Show only objects that grant Write access
-r Show only objects that grant Read access
-e Show only objects that have explicitly set integrity levels (Vista and higher)
Output
-l Shows Access Control List (ACL) rather than effective permissions
-u Suppress errors
-v Verbose
-q Quiet (suppresses banner)
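As an added example (not from the slides), the PowerShell script below turns the AccessChk switches above into a weak-permissions audit: for each broad group it lists files, registry keys and services that grant Write access and writes the findings to a CSV for remediation. accesschk.exe on PATH, the groups, the paths, the output file and the -accepteula switch are assumptions.

```powershell
# Added example (not from the slides): a weak-permissions audit built from the AccessChk
# switches in the table above. For each broad group it lists files, registry keys and
# services that grant Write access, so the ACLs can be tightened. Assumes accesschk.exe
# is on PATH; the groups, paths and output file are assumed starting points, and
# -accepteula is a standard Sysinternals switch not shown on the slides.
param(
    [string[]]$Principals = @('Everyone', 'Users', 'Authenticated Users'),
    [string]$OutFile = 'C:\audit\weak-acls.csv'
)

function Find-Writable {
    param([string]$Principal, [string]$Type, [string[]]$TypeSwitch, [string]$ObjectName)
    # Common switches: -w only objects that grant Write, -u suppress errors, -q no banner.
    # AccessChk prints one object per line, prefixed with the access summary (e.g. "RW").
    $lines = & accesschk.exe -accepteula @TypeSwitch -w -u -q $Principal $ObjectName
    foreach ($l in @($lines | Where-Object { $_ -and $_.Trim() })) {
        [pscustomobject]@{ Principal = $Principal; Type = $Type; Object = $l.Trim() }
    }
}

$findings = @(foreach ($p in $Principals) {
    # Files: -s recurses the tree. Binaries that a broad group can modify are run by
    # every user of the application, so only administrators should be able to write them.
    Find-Writable $p 'File' @('-s') 'C:\Program Files'
    Find-Writable $p 'File' @('-s') 'C:\Windows\System32'
    # Registry: -k treats the name as a key and -s walks its subkeys. Service keys hold
    # the configuration of code that often runs as SYSTEM, so Write access is a finding.
    Find-Writable $p 'RegKey' @('-k', '-s') 'HKLM\SYSTEM\CurrentControlSet\Services'
    # Services: -c treats the name as a service and '*' asks about all of them; -s does
    # not apply here.
    Find-Writable $p 'Service' @('-c') '*'
})

if ($findings.Count -eq 0) {
    Write-Host 'No audited object grants Write access to the listed groups.'
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    $findings | Sort-Object Type, Object, Principal | Export-Csv -NoTypeInformation -Path $OutFile
    $findings | Group-Object Type | ForEach-Object { Write-Host ('{0,-8} {1}' -f $_.Name, $_.Count) }
    Write-Host "Details written to $OutFile; review each entry and tighten the ACL."
}
```

Run it from an elevated prompt so AccessChk can read every ACL; objects it cannot read are skipped silently because of -u.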
Resources
Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
TechEd North America: http://northamerica.msteched.com
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.